cookbooks/mu-master/recipes/sssd.rb
#
# Cookbook Name:: mu-master
# Recipe:: sssd
#
# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
# http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
include_recipe 'mu-master::firewall-holes'
include_recipe "mu-master::389ds"
package "sssd"
package "sssd-ldap"
package "sssd-client"
package "nss-pam-ldapd" do
action :remove
end
package "pam_ldap" do
action :remove
end
package "dbus"
service "messagebus" do
action [:enable, :start]
end
package "nscd"
service "nscd" do
action [:disable, :stop]
end
package "oddjob-mkhomedir"
execute "restorecon -r /usr/sbin"
service "sshd" do
action :nothing
end
# SELinux Policy for oddjobd and its interaction with syslogd
cookbook_file "syslogd_oddjobd.pp" do
path "#{Chef::Config[:file_cache_path]}/syslogd_oddjobd.pp"
end
execute "Add oddjobd and syslogd interaction to SELinux allow list" do
command "/usr/sbin/semodule -i syslogd_oddjobd.pp"
cwd Chef::Config[:file_cache_path]
not_if "/usr/sbin/semodule -l | grep syslogd_oddjobd"
notifies :restart, "service[oddjobd]", :delayed
end
service "oddjobd" do
start_command "sh -x /etc/init.d/oddjobd start" if %w{redhat centos}.include?(node['platform']) && node['platform_version'].to_i == 6 # seems to actually work
action [:enable, :start]
end
package "authconfig"
execute "LC_ALL=C /usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
notifies :restart, "service[oddjobd]", :immediately
notifies :reload, "service[sshd]", :delayed
not_if "grep pam_sss.so /etc/pam.d/password-auth"
end
directory "/var/log/sssd" do
mode 0750
recursive true
end
service "sssd" do
action :nothing
notifies :restart, "service[sshd]", :immediately
end
template "/etc/sssd/sssd.conf" do
source "sssd.conf.erb"
mode 0600
owner "root"
group "root"
notifies :restart, "service[sssd]", :immediately
variables(
:base_dn => $MU_CFG['ldap']['base_dn'],
:user_ou => $MU_CFG['ldap']['user_ou'],
:dcs => $MU_CFG['ldap']['dcs']
)
end
service "sssd" do
action [:enable, :start]
notifies :restart, "service[sshd]", :immediately
end